11.12 Linuxconf via TCP Port 98Linuxconf is a GUI-based configuration tool for Linux that allows the SysAdmin to configure things such as networking and printer services. Besides root being able to start it via the command linuxconf it offers http requests via TCP port 98. It is nicely implemented, easy to use, and has a format similar to recent Windows-based configuration tools to ease people's transition to Linux. On all known distributions, by default Linuxconf is configured not to listen on this port so this vulnerability can happen only if you alter this default.
However, root can enable it to accept requests on port 98 from whatever system or network is specified. Once this is done no password is required to make any desired changes. Certainly, the program cannot detect whether the person interacting with it from that remote system is root so this is a vulnerability unless all users on such a system are trusted. Additionally, this leaves the system open to IP address spoofing, which is discussed in "Packet Spoofing Explained" on page 239. Next, for some operations, it will request root's password. Because it is using http rather than https, this password will be transmitted over the network in clear text. This makes root's password vulnerable to sniffing. Lastly, recent reports indicate another possible vulnerability in Linuxconf when it is listening on TCP port 98. This vulnerability has not been proven at this time. Because of these problems, it is recommended that network access be disabled except on protected networks. Additionally, it is recommended that the organization's firewall block requests to TCP port 98 coming in from the Internet for an added "Ring of Security" protection. |
Top |